Friday, December 22, 2017

IcedID Expanding Target List

Although ransomware has been getting all the headlines, banking trojans continue to be an issue: new variants are constantly evolving and introducing new risks. At UAB, we have been looking closely at banking trojans such as Ramnit, TrickBot and IcedID. Recently, Cliff Wilson, a malware analyst at the UAB malware lab, contributed to establishing that TrickBot was spamming. TrickBot had been silent for the past week, so he was asked to take a deeper dive into the IcedID banking trojan.

IcedID Banking Trojan

This analysis focuses on the malware sample with the hash:
3f4d7a171ab57b6c280ad4aed9ebf8f74e5228658cb4a576ada361a7d7ff5df4

ESET identifies this sample as "Win32/Spy.Icedid.A", although many AV engines, including Ahn, Aegis and Kaspersky, place it in the Andromeda family. As with most malware, many AV engines offer only a generic label, such as AVG (Win32:Malware-Gen), McAfee (Generic Trojan.i), Symantec (Trojan.Gen.2) and TrendMicro (TROJ_GEN.R002C0WL517).

While testing this sample, we noticed the same behavior we have observed before: web injects and phishing pages on financial websites. During further analysis of the IcedID process and its web injects, Cliff made an interesting observation.

The URL https[:]//financebankpay[.]com/ was found in the web injects; the site contains dozens of ‘mock’ web pages and phishing pages for IcedID’s targeted sites. The pages we had observed in the earlier IcedID sample were present (pages for Discover, Citi, Chase, Amazon, Amex and a few others), along with several new pages we had not seen before.

FinanceBankPay.com was purchased from the Chinese registrar EraNet and hosted on a Russian IP address. The WHOIS information was bogus: it borrowed the name of a man from Texas but placed him in the city of "Kileen" in the state "DK", with a throw-away email address from "pokemail.net" as the WHOIS contact.

When the victim visited a targeted URL, the malware loaded the web inject by pulling a page from FinanceBankPay.com at one of the following paths and presenting it as if it were content from the genuine brand.

A few examples of the new emulated pages with injected code are as follows.

Gmail

https://www.financebankpay[dot]com/gmail/

Fig. 1: Login Page for Google Account

The Google web inject can be reached by trying to log in through any Google service (Gmail, Hangouts, YouTube) when infected with IcedID.

Outlook

https://www.financebankpay[dot]com/live/

Fig. 2: Login Page for Outlook

US-based banks

https://www.financebankpay[dot]com/citiCards/

Fig. 3: Stealing credit card details and PIN for a US bank

https://www.financebankpay[dot]com/wellsoffice/

Fig. 4: Business Portal Login for US-Based Bank
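A defender can turn the inject host and paths listed above into a simple detection. The following Python script is an added example, not code from the original post or from the UAB lab; it scans constructed proxy log lines for fetches from financebankpay.com and rates a hit higher when the same client visited the impersonated brand shortly before, which is the sequence the web-inject mechanism produces. The log format, client addresses, timestamps and the pairing of each inject path with brand domains (google.com, live.com, citi.com, wellsfargo.com) are assumptions made for this example.

```python
"""Flag IcedID web-inject fetches in constructed proxy log lines.

The inject host and paths come from the write-up. The brand domains paired
with each path, the log format, the client addresses and the timestamps are
constructed for this example.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

INJECT_HOST = "financebankpay.com"

# Inject path -> domain suffixes of the brand that page impersonates (assumed pairing).
INJECT_PATHS = {
    "/gmail/": ("google.com", "youtube.com"),
    "/live/": ("live.com", "outlook.com"),
    "/citiCards/": ("citi.com",),
    "/wellsoffice/": ("wellsfargo.com",),
}

# Constructed log format: ISO timestamp, client IP, method, full URL.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

# Constructed sample log: one client visits Google and then fetches the /gmail/
# inject; later the same client fetches /wellsoffice/ with no bank visit nearby.
SAMPLE_LOG = """\
2017-12-20T09:14:02 10.0.0.7 GET https://accounts.google.com/signin
2017-12-20T09:14:04 10.0.0.7 GET https://www.financebankpay.com/gmail/
2017-12-20T09:20:11 10.0.0.9 GET https://www.example.com/
2017-12-20T09:31:40 10.0.0.7 GET https://www.financebankpay.com/wellsoffice/
2017-12-20T09:40:00 10.0.0.12 GET https://www.citi.com/
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    parts = urlsplit(ev["url"])
    ev["host"] = (parts.hostname or "").lower()
    ev["path"] = parts.path or "/"
    return ev


def host_matches(host, suffix):
    """True if host is suffix itself or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)


def find_inject_fetches(lines, window=timedelta(seconds=30)):
    """Return every fetch from the inject host, rated by whether the same client
    visited the impersonated brand within `window` beforehand."""
    events = [ev for ev in map(parse_line, lines) if ev]
    events.sort(key=lambda ev: ev["ts"])
    hits = []
    for i, ev in enumerate(events):
        if not host_matches(ev["host"], INJECT_HOST):
            continue
        brands = INJECT_PATHS.get(ev["path"], ())
        brand_seen = None
        # Walk backwards through earlier events from the same client.
        for prev in reversed(events[:i]):
            if ev["ts"] - prev["ts"] > window:
                break
            if prev["client"] == ev["client"] and any(host_matches(prev["host"], b) for b in brands):
                brand_seen = prev["host"]
                break
        hits.append({
            "ts": ev["ts"].isoformat(),
            "client": ev["client"],
            "path": ev["path"],
            "brand_seen": brand_seen,
            # Any contact with the inject host is an indicator; a preceding brand
            # visit from the same client makes an active inject very likely.
            "severity": "high" if brand_seen else "medium",
        })
    return hits


if __name__ == "__main__":
    for hit in find_inject_fetches(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['path']} "
              f"brand_seen={hit['brand_seen']} severity={hit['severity']}")
```

Any request to the inject host is worth an alert on its own; the brand correlation only orders the queue, so that a client that just authenticated to the impersonated brand is looked at first.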

Additional findings

This sample, along with other recently tested IcedID samples, exhibited the following behaviors:

created the directory \onaodecan in \AppData\Local

created “sonansoct.exe” within this directory

soon after, created a .TMP file within \AppData\Local\Temp

opened this file as a process, then closed the main process

this file was updated throughout the testing period

other .TMP files were also created but not executed (further analysis of these files is needed)

any visited URL could be found in the memory strings of the .TMP process after the visit
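The behaviors above translate directly into host-level hunting logic. The Python script below is an added example, not part of the original post or of the UAB lab's tooling; it runs over constructed Sysmon-style JSON events and flags the directory and executable name reported above, a .TMP file in \AppData\Local\Temp being launched as a process, and the parent process exiting shortly afterwards. The event format, field names, process ids, the file name ~DF3A9B.tmp and the timestamps are constructed for this example.

```python
"""Triage constructed Sysmon-style events for the IcedID host behaviors from the write-up.

The directory name, the dropped executable name and the ".TMP launched as a
process, then the main process exits" sequence come from the write-up; the
event format, field names, pids and timestamps are constructed for this example.
"""
import json
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Artifacts reported in the write-up for this sample family.
KNOWN_DIR = "onaodecan"
KNOWN_EXE = "sonansoct.exe"

# Constructed event log (JSON lines, loosely modelled on Sysmon event types).
SAMPLE_EVENTS = r"""
{"ts": "2017-12-20T09:13:50", "event": "FileCreate", "pid": 3300, "image": "C:\\Users\\victim\\Downloads\\invoice.exe", "target": "C:\\Users\\victim\\AppData\\Local\\onaodecan\\sonansoct.exe"}
{"ts": "2017-12-20T09:13:51", "event": "ProcessCreate", "pid": 4012, "ppid": 3300, "image": "C:\\Users\\victim\\AppData\\Local\\onaodecan\\sonansoct.exe"}
{"ts": "2017-12-20T09:13:53", "event": "FileCreate", "pid": 4012, "image": "C:\\Users\\victim\\AppData\\Local\\onaodecan\\sonansoct.exe", "target": "C:\\Users\\victim\\AppData\\Local\\Temp\\~DF3A9B.tmp"}
{"ts": "2017-12-20T09:13:54", "event": "ProcessCreate", "pid": 4100, "ppid": 4012, "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\~DF3A9B.tmp"}
{"ts": "2017-12-20T09:13:55", "event": "ProcessTerminate", "pid": 4012, "image": "C:\\Users\\victim\\AppData\\Local\\onaodecan\\sonansoct.exe"}
{"ts": "2017-12-20T09:14:00", "event": "ProcessCreate", "pid": 5000, "ppid": 1000, "image": "C:\\Windows\\System32\\notepad.exe"}
"""


def load_events(text):
    """Parse JSON lines into event dicts sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        # FileCreate events carry the written file in "target"; process events use "image".
        ev["path"] = PureWindowsPath(ev.get("target") or ev["image"])
    return sorted(events, key=lambda ev: ev["ts"])


def _parts(path):
    return [p.lower() for p in path.parts]


def under_local_appdata(path):
    """True if the path lies somewhere below ...\\AppData\\Local."""
    parts = _parts(path)
    if "appdata" not in parts:
        return False
    i = parts.index("appdata")
    return parts[i + 1:i + 2] == ["local"]


def is_known_dropper(path):
    """The specific \\AppData\\Local\\onaodecan\\sonansoct.exe artifact from the write-up."""
    return (under_local_appdata(path)
            and path.parent.name.lower() == KNOWN_DIR
            and path.name.lower() == KNOWN_EXE)


def is_tmp_in_local_temp(path):
    """A .TMP file sitting directly in \\AppData\\Local\\Temp."""
    return (under_local_appdata(path)
            and path.suffix.lower() == ".tmp"
            and path.parent.name.lower() == "temp")


def analyze(events, exit_window=timedelta(seconds=60)):
    """Return a list of findings, each naming the rule that fired."""
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] == "FileCreate" and is_known_dropper(ev["path"]):
            findings.append({"rule": "known_icedid_dropper_path", "ts": ev["ts"],
                             "pid": ev["pid"], "path": str(ev["path"])})
        elif ev["event"] == "ProcessCreate" and is_tmp_in_local_temp(ev["path"]):
            # Executing a .TMP from Temp as a process is the generic behavior
            # reported in the write-up, independent of the specific file names.
            findings.append({"rule": "tmp_file_executed_as_process", "ts": ev["ts"],
                             "pid": ev["pid"], "path": str(ev["path"])})
            # Look ahead: the write-up reports the main process closing right after.
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > exit_window:
                    break
                if later["event"] == "ProcessTerminate" and later["pid"] == ev["ppid"]:
                    findings.append({"rule": "parent_exited_after_tmp_launch", "ts": later["ts"],
                                     "pid": later["pid"], "path": str(later["path"])})
                    break
    return findings


def triage(text):
    return analyze(load_events(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['ts'].isoformat()} pid={f['pid']} {f['rule']}: {f['path']}")
```

The two name-based checks will only catch this family as observed in December 2017; the .TMP-executed-from-Temp rule with the parent exiting afterwards is the part worth keeping as a standing hunt, since it describes the behavior rather than the names.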

Researchers will continue to provide regular updates about the different types of banking trojans in the wild. Dealing with this malaise for the banking sector and end users will require a consistent, combined effort from all financial institutions.